SSL VPN Deployment Guide: A Step-by-Step Technical Guide


SSL VPN

Deployment Guide
A Step-by-Step Technical Guide
Notice:
The information in this publication is subject to change without notice.
THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NONINFRINGEMENT. CITRIX SYSTEMS, INC. (CITRIX), SHALL NOT BE LIABLE FOR
TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT,
INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING,
PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part
of this publication may be photocopied or reproduced in any form without prior written consent from
Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying
such products. Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies.
Copyright 2007 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.
Table of Contents
Introduction
Solution Requirements
Prerequisites
Network Diagram
First time connectivity
  Serial Connection
  Ethernet Connection
NetScaler Configuration
  Deployment Model: NetScaler High Availability, Two-Arm Mode, SSL VPN
  Important Considerations for NetScaler High Availability
  High Availability Command Synchronization
  Important NetScaler IP Addresses
  IP Addresses, Interfaces and VLANs
SSL Keys & Certificates
  Obtaining Keys and Certificates
  Using the SSL Certificate Wizard
SSL VPN Configuration
  SSL VPN Wizard
Accessing the SSL VPN
  Importing SSL Certificates
  Testing the SSL VPN
Things you need to know
SSL VPN Policies
  Step-by-Step SSL VPN policy creation
Appendix A - NetScaler Application Switch Configuration
Introduction
Citrix NetScaler optimizes the delivery of web applications, increasing security and improving performance and Web server capacity. This approach ensures the best total cost of ownership (TCO), security, availability, and performance for Web applications. The Citrix NetScaler solution is a comprehensive network system that combines high-speed load balancing and content switching with state-of-the-art application acceleration, layer 4-7 traffic management, data compression, dynamic content caching, SSL acceleration, network optimization, and robust application security into a single, tightly integrated solution. Deployed in front of application servers, the system significantly reduces processing overhead on application and database servers, reducing hardware and bandwidth costs.
Citrix Access Gateway is the only SSL VPN to securely deliver any application with policy-based SmartAccess control. Users will have easy-to-use secure access to all of the enterprise applications and data they need to be productive, and IT can cost effectively extend access to applications while maintaining security through SmartAccess application-level policies. With Access Gateway, organizations are empowered to cost effectively meet the anywhere access demands of all workers, enabling flexible work options, easier outsourcing and non-employee access, and business continuity readiness while ensuring the highest level of information security.
This deployment guide walks through the step-by-step configuration details of how to configure the Citrix NetScaler for use as an SSL VPN gateway.
Solution Requirements
SSL VPN for all applications
Agentless connectivity, and Agent based connectivity
Split-Tunneling without network conflicts
User/Group Restrictions to specific VLANs and IP Addresses
Prerequisites
Citrix NetScaler L4/7 Application Switch, running version 8.0+ (Quantity x 1 for single deployment, Quantity x 2 for HA deployment).
Layer 2/3 switches, with support for 802.1q Tagging & Trunking (Quantity x 1).
Client laptop/workstation running Internet Explorer 6.0+.

Network Diagram
The following is the network that was used to develop this deployment guide; it is representative of a solution implemented at a customer site.

VLAN Legend
Primary NetScaler:
  NSIP: 10.217.104.51
  SNIP: 10.217.104.53
Secondary NetScaler:
  NSIP: 10.217.104.52
  SNIP: 10.217.104.54
Shared IP Addresses (Primary/Secondary NetScaler):
  VIP: 67.97.253.92
  SNIP: 169.145.91.239
  SNIP: 169.145.92.239
VLAN 1 (Mgmt): Interface 0/1, Untagged; MIP: 10.217.104.50
VLAN 4: Interface 1/4, Untagged; Trunking ON
VLAN 10: Interface 1/2, Untagged; SNIP: 67.97.253.91
VLAN 91: Interface 1/4, Tagged; MIP: 169.145.91.240
VLAN 92: Interface 1/4, Tagged; MIP: 169.145.92.240

[Network diagram: the Citrix NetScaler (https://vpn.citrixlabs.com) with the Admin VLAN 1 on Int 0/1, VLAN 10 (67.253.97.0) on Int 1/2, and the 802.1q VLAN trunk carrying VLANs 91 and 92 on Int 1/4 toward the applications Apps1.citrixlabs.com (169.145.91.0) and Apps2.citrixlabs.com (169.145.92.0).]
First time connectivity
Serial: 9600, n, 8, 1
Default IP Address: 192.168.100.1
Serial Connection
The NetScaler can be accessed by the serial port through any terminal emulation program. Windows HyperTerminal is commonly used on a laptop or workstation. Connect a 9-pin null modem cable from the computer to the NetScaler's console port. In the terminal emulation program configure the settings for 9600 baud, no parity, 8 data bits and 1 stop bit (9600, n, 8, 1). The login prompt should appear. The default login is nsroot, nsroot. It is advisable to change the nsroot password once connected.
Once connected, type in the CLI command configns (nsconfig if at the shell prompt). Select option 1 to change the NetScaler IP Address and Network Mask. Exit, save and reboot.
Ethernet Connection
The NetScaler can also be accessed by the default IP Address of 192.168.100.1, either through an http, https, telnet or ssh connection. Once connected, the login prompt should appear. The default login is nsroot, nsroot. It is advisable to change the nsroot password once connected.
Type in the CLI command configns (nsconfig if at the shell prompt). Select option 1 to change the NetScaler IP Address and Network Mask. Exit, save and reboot.
Note: Changing the NetScaler IP Address always requires a reboot.
NetScaler Configuration
Deployment Model: NetScaler High Availability, Two-Arm Mode, SSL VPN
The NetScaler SSL VPNs in this example will be deployed as a high availability pair, in two-arm mode. Always start with the first NetScaler. The NetScalers in two-arm mode provide the utmost in site security, as they provide a full reverse-proxy gateway to intercept incoming traffic before it is sent to the applications on the backend. Once the initial NetScaler IP Address (NSIP) has been configured, you can connect to both the Primary and Secondary NetScalers via an http or https web browser connection.
1. Connect to the NetScaler via the NSIP using a web browser.
In this example:
NS1: http://10.217.104.51
NS2: http://10.217.104.52
Note: Java will be installed.
Default login is: nsroot, nsroot.
In a High Availability deployment, one Application Switch actively accepts connections and manages servers, while the second monitors the first. If the first Application Switch quits accepting connections for any reason, the second Application Switch takes over and begins actively accepting connections. This prevents downtime and ensures that the services provided by the Application Switch will remain available even if one Application Switch ceases to function.
Important Considerations for NetScaler High Availability
The passwords for both NetScalers' nsroot accounts must match. You must change these manually on the switches; they are not synchronized.
The maximum node ID for Application Switches in an HA pair is 64.
Both NetScaler HA peers must be running the same version of code.
The configuration files in ns.conf must match on both NetScalers. For this to happen, the following must occur:
  The primary and secondary NetScaler Application Switches must be configured with their own unique NSIPs.
  The node ID and IP Address of one Application Switch must point to the other Application Switch (its HA peer).
  You must configure RPC node passwords on both Application Switches. Initially, all Application Switches are configured with the same RPC node password. To enhance security, you should change these default RPC node passwords.

2. While connected to the Primary NetScaler, add the Secondary node.
In the NetScaler GUI, navigate to: NetScaler > System > High Availability > Add.
Enter the Node ID and IP address for the Secondary HA peer.
In this example: 2, and 10.217.104.52.
Note:
It is important to turn Off HA Monitoring on interfaces that it is not intended for, otherwise HA Node Synchronization will not be successful.
In the NetScaler GUI: Navigate to NetScaler > Network > Interfaces.
Double-click the interface number(s), and turn Off HA Monitoring.
3. Connect to the Secondary NetScaler and tell it to take the Secondary role.
Navigate to NetScaler > System > High Availability > Open > Stay Secondary.
4a. Connect to the Secondary NetScaler and add the Primary node.
Enter the Node ID and IP address for the Primary HA peer.
In this example: 1, and 10.217.104.1.
4b. Both Primary and Secondary must be configured to actively participate in HA.
In the NetScaler GUI on the Primary: Navigate to NetScaler > System > High Availability > ID 0 > Open.
Select HA Status Enabled.
Enable HA Synchronization.
Enable HA Propagation.
Click Ok.
Repeat for Secondary.
5. A successful HA Synchronization can be viewed from the High Availability screen on either the Primary or Secondary node's GUI.
From the same screen you can Force Synchronization or Force Failover.
High Availability Command Synchronization
In a correct HA setup, any command issued on the primary Application Switch will propagate automatically to the secondary Application Switch. Some reasons why command synchronization may not work:
Network connectivity is down
Resources are not available on the Secondary Application Switch
Authentication failure (nsroot and/or RPC node password)
HA Monitoring is not set the same way (On or Off) on the same interfaces of both nodes

TIP: Disabling the blinking LCD Panel
The LCD panel on the front of the NetScaler will flash intermittently until the unused interfaces are disabled and HA monitoring is turned off on them. In the GUI, navigate to NetScaler > Network > Interfaces. Select an interface, right-click to disable. Right-click to Open, and disable HA monitoring.
6. Optional: Add a Default Route
Navigate to NetScaler > Network > Route > Add.
In this example: Network 0.0.0.0, Netmask 0.0.0.0, Gateway 67.97.253.1.
Because we have a Subnet IP Address (SNIP) on the public interface 1/2, this isn't really necessary.
Important NetScaler IP Addresses
Note: NSIP is mandatory and requires a reboot.
Acronym | Description | Usage
NSIP | NetScaler IP Address | The NetScaler IP (NSIP) is the management IP address for the appliance, and is used for all management related access to the appliance. There can only be one NSIP.
MIP | Mapped IP Address | The mapped IP address (MIP) is used by the Application Switch to represent the client when communicating with the backend managed server. Mapped IP addresses (MIP) are used for server-side connections and Reverse NAT. Think of this as the client's source address on the server side of the Application Switch, assuming a two-arm proxy deployment. In this example you can think of it as the Tagged VLAN IP.
SNIP | Subnet IP Address | The Subnet IP address (SNIP) allows the user to access an Application Switch from an external host that is residing on another subnet. When a subnet IP address is added, a corresponding route entry is made in the route table. Only one such entry is made per subnet. The route entry corresponds to the first IP address added in the subnet.
VIP | Virtual IP Address | The Virtual Server IP address (VIP) is used by the Application Switch to represent the public facing IP address of the managed services. ARP and ICMP attributes on this IP address allow users to host the same vserver on multiple Application Switches residing on the same broadcast domain.
DFG | Default Gateway | IP Address of the router that forwards traffic outside of the subnet where the appliance is installed.
Add the remaining IP Addresses
IP Addresses that are added after HA Synchronization is complete will be replicated on both Primary and Secondary NetScalers.
7. Add the remaining IP Addresses.
Navigate to NetScaler > Network > IPs > Add.
Make sure you take this opportunity to save the configuration on both the Primary and Secondary NetScalers.
IP Addresses, Interfaces and VLANs
Assigning IP Addresses to Interfaces is done virtually through the use of port based VLANs.
By default, all the interfaces on the system are in a single port-based VLAN as untagged interfaces. This VLAN is the default VLAN with a VID equal to 1.
When an interface is added to a new VLAN as an untagged member, the interface is automatically removed from the default VLAN and placed in the new VLAN. This becomes a convenient feature, such that when we plug the NetScaler into a switch that is using VLANs with tagging, we only need to check the box to turn on tagging. VLANs are typically used to separate subnet traffic.
Note: If Trunking is turned On, you will see an interface as a member of more than one VLAN.
8. Create VLANs and assign Mapped IP Addresses to them.
Navigate to NetScaler > Network > VLANs > Add.
For this example: We create VLANs 4, 10, 91, 92. Only VLANs 91 and 92 are tagged.
Interface 0/1 is our management interface, in VLAN 1.
Interface 1/2 is our public interface, in VLAN 10.
Interface 1/4 is the server side interface, and will be used as our 802.1q VLAN trunk. The corresponding port on the Layer 2 switch will be configured for 802.1q trunking.
Navigate to NetScaler > Network > VLANs to view VLAN and interface assignments on the Application Switch.
Configuring the Virtual MAC
The Virtual MAC address (VMAC) is a floating entity shared by the primary and secondary nodes in an HA setup.
In an HA setup, the primary node owns all of the floating IP addresses such as MIP, SNIP, VIP, etc. It responds to ARP requests for these IP addresses with its own MAC address. As a result, the ARP table of an external device (for example, an upstream router) is updated with the floating IP address and the primary node's MAC address.
When a failover occurs, the secondary node takes over as the new primary node. It then uses Gratuitous ARP to advertise the floating IP addresses that it acquired from the primary. The MAC address that the new primary advertises is that of its own interface.
Some devices do not accept Gratuitous ARP messages. You can overcome this problem by configuring a VMAC on both nodes of an HA pair. This means that both nodes possess identical MAC addresses. As a result, when failover occurs, the MAC address of the secondary node remains unchanged and ARP tables on the external devices do not need to be updated.
To create a VMAC, you need to create a VRID and bind it to an interface. In an HA setup, you need to bind it to the interfaces on both the primary and secondary nodes. When the VRID is bound to an interface, the system generates a VMAC with the VRID as the last octet. The generic VMAC is of the form 00:00:5e:00:01:<VRID>.
9. Assign a VMAC.
Navigate to NetScaler > Network > VMAC > Add.
Add a Virtual Router ID to the interface that HA Monitoring is enabled on.
SSL Keys & Certificates
Obtaining Keys and Certificates
Using any of the SSL features on the NetScaler requires that you obtain a certificate and private key for the NetScaler. An SSL certificate is a digital data form (X.509) that identifies a particular company (domain) or an individual. An SSL key is the private component of the public-private key pair used in asymmetric key encryption (public key encryption).
Note: The Application Switch supports a certificate key size of up to 2,048 bits (RSA/DSA).
There are three ways to obtain keys and certificates for use with the Application Switch.
1) Create a self-signed certificate using the SSL certificate wizard.
2) Use an existing one, either root or intermediary, from an existing web server.
3) Obtain one from a public CA (Certificate Authority), such as Verisign.
In this guide we will use the Application Switch to generate a self-signed certificate. Refer to the Installation and Configuration Guide, NS_ICG_V1.pdf, for instructions on how to use an existing certificate or obtain one from a CA. NS_ICG_V2.pdf provides more detail surrounding SSL VPN configuration and should be used as another reference.
Using the SSL Certificate Wizard
Tip:
If you are in a rush to complete a proof of concept or a test environment, skip this section and use the certificate creation tool inside of the SSL VPN Wizard in the next section; it is much easier.
10. To launch the SSL Certificate Wizard, from the GUI, navigate to NetScaler > SSL.
Click on the <Certificate Wizard>.
Note:
The Application Switch supports a certificate key size of up to 2048 bits (RSA/DSA).
All generated keys and certificates are created under the directory /nsconfig/ssl on the Application Switch. To get to this directory, log in and type the shell CLI command.
11. Once past the introduction screen, enter the name for the file to store the SSL keys in.
Common key strength values: 512, 1024, 2048.
12. Enter a filename to store the request.
Select the PEM format for CA. Enter a passphrase.
Enter the X.509 fields.
13. Enter the filename for the SSL Certificate. You will need to find this one later.
Make sure you select Root CA certificate, as this is a self-signed root certificate.
Enter a passphrase.
Enter a time period this certificate is valid for. 3650 is equivalent to 10 years. More stringent security rules would dictate shorter time periods.
TIP:
Common Name:
The common name should match the name used by DNS servers during a DNS lookup of your virtual server (for example, vpn.citrixlabs.com). Most browsers use this information for authenticating the virtual server's certificate during the SSL handshake. If the virtual server DNS name does not match the common name as given in the server certificate, the browsers will terminate the SSL handshake or prompt the user with a warning message. Do not use wildcard characters such as * or ? and do not use an IP address as a common name. The common name should be without the protocol specifier http:// or https://.
Organization Name:
The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which the organization is registered. Do not abbreviate the organization name and do not use the following characters in the name: < > ~ ! @ # $ % ^ * / \ ( ) ?. For example, Citrix Systems, Inc.
14. Enter a key pair filename and passphrase.
Then select Finish.
TIP:
Now is a good time to log into the GUI on both the Primary and Secondary NetScaler and make sure the SSL Certificate exists on both systems. If the certificate files (request, key, certificate) did not get replicated from the Primary to the Secondary HA unit, then creating the SSL VPN will be difficult.
Make sure the SSL Certificate files exist on both the Primary and Secondary. The most efficient way to do this is to SSH into the Primary node, and enter the sync HA files all command.
You can also download / upload certificate files using a tool called WinSCP, http://winscp.net/. The certificate files are stored in the /nsconfig/ssl directory.
This is also a good time to Force Synchronization and save configurations.
Once the SSL VPN is completely configured, you will want to perform a Force Failover to make sure the VPN comes up on the Secondary unit, to ensure the certificates have been replicated across the HA systems.
SSL VPN Configuration
SSL VPN Wizard
This section walks through the steps to configure a basic SSL VPN using the SSL VPN Wizard. The basic configuration steps are: enable the SSL VPN feature, create an SSL VPN virtual server, configure name resolution for VPN clients, and configure the VPN's SSL certificate(s).
15. First the SSL VPN feature needs to be enabled.
From the GUI, navigate to NetScaler > System > Settings > Basic Features. Click on <basic features> and check the SSL VPN box.
16. The SSL VPN Wizard simplifies the process of creating the SSL VPN configuration.
From the GUI, navigate to NetScaler > SSL VPN. In the right-hand frame, select <SSL VPN Wizard>.
17. After the Introduction, create the Virtual Server for the SSL VPN by entering the Public IP Address that users will access the SSL VPN by. Also enter the port and FQDN.
18. Specify the SSL Certificate.
Click on the first drop down menu on the right-hand frame, and select the name of the certificate created earlier in the exercise.
If you skipped the certificate creation in the previous section, you can create one quickly for testing by clicking on the second button.
19. Add the Domain Name Server and select DNS.
20. Enter a local username and password for authentication.
Later on, you can configure other types of authentication using external resources, such as LDAP, RADIUS, Client Certificate, Active Directory and TACACS.
Review and select Finish.
Note:
If the Virtual Server does not come up, make sure the licenses match on the Primary and Secondary devices.
Accessing the SSL VPN
Importing SSL Certificates
If you followed the tip in the previous section on the use of Common Name and Organization Name, then there is one more step to enable your clients. Download the SSL Certificate from the Primary or Secondary Application Switch and import the certificate into the web browser as a Trusted Root Certificate Authority.
Internet Explorer: Navigate to Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities > Import.
Firefox: Navigate to Tools > Options > View Certificates. Select the Authorities tab > Import.
Testing the SSL VPN
To access the SSL VPN, you need to launch a browser and point it to the Virtual Server IP Address (VIP) created in the previous section. This is the public facing IP Address. For example, in the lab used in this guide, https://67.97.253.92 ~or~ https://vpn.citrixlabs.com.
At the logon screen, enter the username and password of the user account you created earlier. If the user authenticates correctly, you will see the window shown on the next page.
Note:
If you see a certificate warning before the login window appears, this may be because the VPN is using a self-signed certificate or an invalid certificate. If you used a self-signed certificate, you can ignore this warning.
If you used a certificate signed by a CA, however, there is a problem with the certificate, so close the warning by clicking the No button. Verify that you generated the site certificate correctly if you used a signed CSR, and that the distinguished name data entered in the CSR is accurate. Check that the configured certificate's common name corresponds to the configured virtual server IP information.
If the login screen does not appear, or if you received a different error, review the setup process and confirm that all steps were performed correctly and that all parameters were entered accurately.
21. Enter the username and password created earlier.
When authentication is successful, the following screen appears. You have the option of downloading the SSL VPN Agent.
Things you need to know
There are two ways to access the SSL VPN:
1) Agentless (using a web browser plug-in)
The SSL VPN does not need a client or agent, which is what makes SSL VPN so attractive, affordable and efficient. You can require all users to access the SSL VPN by only using the web browser.
2) Agent Login (using an agent installed on the user's computer)
When you configure the SSL VPN Policies you will notice under the VPN Global Settings, Client Experience, Windows Client Type, there are two types of clients: Agent and Plugin. Agent = Windows Agent Client, Plugin = ActiveX client ~or~ Java applet client.
Windows users will use either the Agent (Agent login) or the ActiveX client or Java applet client (Agentless login), while other OSs will use the Java applet client. The Transparent Inspection setting determines which client gets downloaded. Also keep in mind the ActiveX and Java clients behave differently and have differing depths of features.
The Windows ActiveX plug-in intelligently intercepts traffic to be tunneled to the private intranet. Alternatively, the Java applet plug-in, available for both Windows and non-Windows operating systems, does not intercept traffic transparently and hence native client/server applications need to be specifically configured on the system. Once these applications are configured on a port basis, the Java applet plug-in listens on those pre-configured application ports via the client's loopback interface in order to manage the client's connections.
Split Tunneling
Split tunneling allows an ActiveX client to distinguish between SSL VPN traffic and other traffic based on destination IP, and direct only SSL VPN traffic through the SSL VPN tunnel. Setting Split Tunnel to ON therefore allows the remaining traffic to bypass the secure NetScaler VPN tunnel.
With split tunnel set to OFF, all user traffic is tunneled through the secure NetScaler SSL VPN tunnel.
Setting split tunnel to Reverse will pass all traffic through the secure NetScaler VPN tunnel except traffic directed to IP addresses belonging to the intranet network domains configured on the SSL VPN.
Cleanup
The Client Cleanup Prompt controls the display of the Client Cleanup pop-up window that appears on Windows client machines on exiting the SSL VPN session. If prompted, the user can select the data that needs to be removed. However, certain types of data can be automatically removed by configuring the force cleanup option.
Client Cleanup can be automatically performed by turning OFF the Client Cleanup Prompt and setting the Cleanup options in advanced settings.
Home Page
When a VPN user logs in, the default SSL VPN portal page is presented to the user. On configuring the home page URL option, the system will redirect the VPN user's browser to the URL specified in the Home Page field. If the option is unchecked, no homepage will be displayed after the SSL VPN user logs in.
SSL VPN Polices
Evaluated in the following order, these policies give you control over clients as they access the resources
within the Intranet. If none of the policies match those bound to users or groups, then global policies will
be evaluated and applied.
Authentication policy
In the SSL VPN, there are ve types of policies available for managing your conguration dynamically.
Authentication policies are used to define what type of authentication method to apply to users. These policies are applied first by the system in order to determine who is allowed to log in to the SSL VPN.
Session policy
The VPN Session Policy regulates how clients are configured. With VPN session policies, you may define policies to set various client Agent (ActiveX) or Plug-in (Java) parameters such as client security checks and proxy configurations. VPN session policies are evaluated based on client source network after user authentication has been performed. VPN Session policies are useful for directing clients to specific home pages or CPS server farms, and for setting ICA Proxy ON or OFF.
Authorization policy
The Authorization policy is used to control which resources SSL VPN clients may access. Each time a client attempts to access an intranet resource through the SSL VPN, all the authorization policies for that user are evaluated to determine whether the user is allowed to access that resource before access is granted.
Traffic policy
VPN Traffic policies further refine how clients access resources. With VPN traffic policies, you can customize VPN session traffic parameters such as the application timeout interval to apply to client sessions. These policies can be evaluated based on requested resource location data such as an IP address, port number, or URL.
Intranet Applications policy
Intranet Applications are applications which can be accessed through the VPN. When split tunneling is ON, only traffic to the configured intranet applications is tunnelled through the VPN.
Tunnel policy
The Tunnel traffic policy is used to control the available traffic acceleration services, including compression. Tunnel traffic policies evaluate which services to apply based on the requested resource's destination IP address, port, or URL.
Intranet IPs policy
Intranet IP Addresses allow you to provide a range of IP addresses to be used as a resource for a defined group of users. Think of it as a built-in DHCP server. It works off of the CIDR principle, so you will need to break out your subnet calculator.
Step-by-Step SSL VPN policy creation
22. The first thing to do is launch the SSL VPN Policy Manager. From the GUI, navigate to NetScaler SSL VPN. In the right-side frame, second from the top, click on <SSL VPN Manager>. Up pops the SSL VPN Manager GUI.
23. Create a new group to assign our policies to. In this example, we create a group called sslvpn. We add our VPN user vpn1 to this group.
24. The first Authorization policy we create is to allow anyone to come into the VPN. So our first Auth policy is REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0.
25. The second Authorization policy we create is to only allow users who are destined for the 91 subnet, which is also VLAN 91. So our second Auth policy is REQ.IP.DESTIP == 169.145.91.0 -netmask 255.255.255.0.
26. The next step is to create a new Session Policy. Add an expression to match ns_true so the policy evaluates to true.
27. And the Session Action, which dictates all of the end-user client behavior. Here we are configuring Windows clients to use the Agent client with split tunneling, a session timeout and transparent interception. We selected Advanced settings and configured the VPN to automatically clean up the client's files when they log out of the VPN.
28. Create an Intranet policy to allow users access to Subnet 91 (VLAN 91).
29. Finally, bind an IP subnet range for users to be assigned IP addresses from. This can only be done directly to the resources in the left-side frame of the SSL VPN Policy Manager. Open up the sslvpn group created earlier and, under Intranet IPs, bind a new intranet IP. Think of this as a built-in DHCP server that assigns IP addresses.
30. Finally, bind all of these policies together to the sslvpn group, so that when the user vpn1 logs in, they are bound to those policies. Do this by click-hold and drag from the Available Policies frame in the center of the SSL VPN Policy Manager to the Configured Policies in the left-side frame, under groups, sslvpn.
31. Test the connection from a client machine. After logging into the SSL VPN, right-click on the ActiveX client in the system tray and select Configure. Here you can view the configuration details for the client to see if the policies were correctly pushed down to the client. From the same client, right-click to log out of the SSL VPN.
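The policy types described earlier and the walkthrough that configures them, as an added example that is not part of the Citrix guide: a Python model of the authorization, split-tunnel and intranet-IP settings from the Appendix A configuration. The evaluation order (first matching authorization policy wins; a session action's default overrides the global vpn parameter) and the client address 169.145.91.5 are this model's assumptions.

```python
# Added example, not from the Citrix guide: a small model of how the settings
# configured in the walkthrough fit together. Networks, policy names and
# actions are the ones in the guide's Appendix A config; the evaluation order
# (first matching authorization policy wins, session action overrides the
# global vpn parameter) and the client address are this model's assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthorizationPolicy:
    name: str
    field: str                       # "SOURCEIP" (REQ.IP.SOURCEIP) or "DESTIP" (REQ.IP.DESTIP)
    network: ipaddress.IPv4Network   # "<addr> -netmask <mask>" from the policy rule
    action: str                      # "ALLOW" or "DENY"

    def matches(self, src: str, dst: str) -> bool:
        addr = src if self.field == "SOURCEIP" else dst
        return ipaddress.ip_address(addr) in self.network


# "add authorization policy Auth91 REQ.IP.DESTIP == 169.145.91.0 -netmask 255.255.255.0 ALLOW"
AUTH91 = AuthorizationPolicy("Auth91", "DESTIP",
                             ipaddress.ip_network("169.145.91.0/255.255.255.0"), "ALLOW")
# "add authorization policy AuthAllInbound REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0 ALLOW"
AUTH_ALL_INBOUND = AuthorizationPolicy("AuthAllInbound", "SOURCEIP",
                                       ipaddress.ip_network("0.0.0.0/0"), "ALLOW")
# "add vpn intranetApplication Intranet-Subnet-91 ANY 169.145.91.0 -netmask 255.255.255.0 -destPort 1-65535"
INTRANET_SUBNET_91 = ipaddress.ip_network("169.145.91.0/255.255.255.0")
# "bind aaa group sslvpn -intranetIP 169.145.91.0 255.255.255.224"
INTRANET_IP_POOL = ipaddress.ip_network("169.145.91.0/255.255.255.224")
# "set vpn parameter ... -defaultAuthorizationAction DENY"
GLOBAL_DEFAULT_AUTHORIZATION = "DENY"
# "add vpn sessionAction SessionAct91 ... -defaultAuthorizationAction ALLOW"
SESSIONACT91_DEFAULT_AUTHORIZATION = "ALLOW"


def authorize(src: str, dst: str, policies, default_action: str) -> str:
    """Decide ALLOW/DENY for one request from a VPN client (src) to an intranet
    address (dst). The first policy whose rule matches decides; if none
    matches, the default authorization action applies (model assumption)."""
    for policy in policies:
        if policy.matches(src, dst):
            return policy.action
    return default_action


def is_tunneled(dst: str, split_tunnel_on: bool, intranet_apps) -> bool:
    """With split tunneling ON only traffic to a configured intranet
    application enters the tunnel; with it OFF, everything does."""
    if not split_tunnel_on:
        return True
    return any(ipaddress.ip_address(dst) in app for app in intranet_apps)


def pool_size(pool: ipaddress.IPv4Network) -> int:
    """Number of addresses the intranet-IP binding (the guide's 'built-in
    DHCP server') covers; 255.255.255.224 is a /27, i.e. 32 addresses."""
    return pool.num_addresses


def effective_default_for_group(global_default: str, session_default: Optional[str]) -> str:
    """A session action bound to the group overrides the global vpn parameter."""
    return session_default if session_default is not None else global_default


if __name__ == "__main__":
    client = "169.145.91.5"   # assumed: an address handed out from the intranet-IP pool
    group_default = effective_default_for_group(GLOBAL_DEFAULT_AUTHORIZATION,
                                                SESSIONACT91_DEFAULT_AUTHORIZATION)
    for dst in ("169.145.91.151", "169.145.92.152"):
        # Only Auth91 is bound to group sslvpn in the appendix; AuthAllInbound is not.
        print(dst, "tunneled:", is_tunneled(dst, True, [INTRANET_SUBNET_91]),
              "authorization:", authorize(client, dst, [AUTH91], group_default),
              "(with the global default it would be",
              authorize(client, dst, [AUTH91], GLOBAL_DEFAULT_AUTHORIZATION) + ")")
    print("intranet IP pool size:", pool_size(INTRANET_IP_POOL))
```

Running it shows that, for the sslvpn group, a destination outside 169.145.91.0/24 is never tunnelled while split tunneling is ON, and that the session action's ALLOW default, not the global DENY, decides any request that Auth91 does not match.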
Appendix A - NetScaler Application Switch Configuration
Primary NetScaler
#NS8.0 Build 49.2
# Last modified by `save config`, Sun Dec 23 23:21:57 2007
set ns config -IPAddress 10.217.104.51 -netmask 255.255.255.0
enable ns feature CMP SSLVPN SSL
set lacp -sysPriority 32768
set system user nsroot 1b8c0fd3800004c04ecd8f170ec96e3d2c597e739e223fced -encrypted
set interface 0/1 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/1 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/2 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/3 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/4 -speed 1000 -duplex FULL -flowControl RX -autoneg DISABLED -haMonitor OFF -trunk ON -lacpMode DISABLED -throughput 0
set interface 1/5 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/6 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/7 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/8 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
add HA node 2 10.217.104.52
add ns ip 10.217.104.54 255.255.255.0 -vServer DISABLED -gui SECUREONLY -mgmtAccess ENABLED
add ns ip 169.145.91.239 255.255.255.0 -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 169.145.92.239 255.255.255.0 -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 169.145.92.240 255.255.255.0 -type MIP -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 169.145.91.240 255.255.255.0 -type MIP -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 10.217.104.50 255.255.255.0 -type MIP -vServer DISABLED -gui SECUREONLY -mgmtAccess ENABLED
add ns ip 67.97.253.91 255.255.255.0 -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add vlan 4
add vlan 10
add vlan 91
add vlan 92
bind vlan 4 -ifnum 1/4
bind vlan 10 -ifnum 1/2
bind vlan 10 -IPAddress 67.97.253.91 255.255.255.0
bind vlan 91 -ifnum 1/4 -tagged
bind vlan 91 -IPAddress 169.145.91.239 255.255.255.0
bind vlan 92 -ifnum 1/4 -tagged
bind vlan 92 -IPAddress 169.145.92.240 255.255.255.0
add vrID 60
bind vrID 60 -ifnum 0/1
set locationParameter -context geographic -q1label Continent -q2label Country -q3label Region -q4label City -q5label ISP -q6label Organization
add policy expression users SOURCEIP == 0.0.0.0 -netmask 0.0.0.0
add aaa user vpn1 -password c83f1e11 -encrypted
add aaa group sslvpn
add vpn intranetApplication Intranet-Subnet-91 ANY 169.145.91.0 -netmask 255.255.255.0 -destPort 1-65535 -interception TRANSPARENT
add authorization policy Auth91 REQ.IP.DESTIP == 169.145.91.0 -netmask 255.255.255.0 ALLOW
add authorization policy AuthAllInbound REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0 ALLOW
add vpn vserver vpn.citrixlabs.com SSL 67.97.253.92 443 -maxAAAUsers 5 -downStateFlush DISABLED
set ns rpcNode 10.217.104.51 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP 10.217.104.51
set ns rpcNode 10.217.104.52 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP 10.217.104.51
set responder param -undefAction NOOP
set rewrite param -undefAction NOREWRITE
add dns nameServer 66.165.176.28 -state DISABLED
set dns parameter -nameLookupPriority DNS
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey citrixlabs.keypair -cert citrixlabs.cer -key citrixlabs.key -inform DER
set ssl service nshttps-67.97.253.91-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-67.97.253.91-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-10.217.104.50-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-10.217.104.50-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.91.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.91.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.92.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.92.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.92.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.92.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.91.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.91.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-10.217.104.54-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-10.217.104.54-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nskrpcs-127.0.0.1-3009 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-127.0.0.1-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set cache parameter -memLimit 0 -via NS-CACHE-8.0: 1 -verifyUsing HOSTNAME_AND_IP -maxPostLen 0 -prefetchMaxPending 4294967294 -enableBypass YES
set cache contentGroup BASEFILE -relExpiry 86000 -maxResSize 256 -memLimit 2
set cache contentGroup DELTAJS -relExpiry 86000 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES
set aaa parameter -maxAAAUsers 5
add vpn sessionAction SessAction91 -windowsClientType AGENT -defaultAuthorizationAction ALLOW -homePage http://169.145.91.151/Citrix/AccessPlatform/ -icaProxy ON -ntDomain Srv1
add vpn sessionAction SessAction92 -homePage http://169.145.92.152/Citrix/AccessPlatform/ -icaProxy ON -ntDomain Srv2
add vpn sessionAction userAction -sessTimeout 20 -windowsClientType AGENT
add vpn sessionAction SessionAct91 -sessTimeout 10 -splitTunnel ON -transparentInterception ON -windowsClientType AGENT -defaultAuthorizationAction ALLOW -clientCleanupPrompt OFF -forceCleanup all -homePage none -icaProxy OFF
add vpn sessionPolicy SessPolicy91 ns_true SessAction91
add vpn sessionPolicy SessPolicy92 ns_true SessAction92
add vpn sessionPolicy users REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0 userAction
add vpn sessionPolicy SessionPol91 ns_true SessionAct91
set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true
set vpn parameter -splitDns BOTH -splitTunnel ON -killConnections OFF -defaultAuthorizationAction DENY -proxy OFF -proxyLocalBypass DISABLED -forceCleanup all -clientOptions all -clientConfiguration all -SSO OFF -windowsAutoLogon OFF -clientDebug OFF -homePage none -icaProxy OFF -ClientChoices OFF -epaClientType PLUGIN
bind aaa group sslvpn -userName vpn1
bind aaa group sslvpn -intranetIP 169.145.91.0 255.255.255.224
bind aaa group sslvpn -policy Auth91
bind aaa group sslvpn -policy SessionPol91
bind aaa group sslvpn -intranetApplication Intranet-Subnet-91
bind tunnel global ns_tunnel_cmpall_gzip
set lb sipParameters -addRportVip ENABLED
bind ssl service nshttps-67.97.253.91-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-67.97.253.91-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-10.217.104.50-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-10.217.104.50-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.91.240-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.91.240-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.92.240-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.92.240-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.92.239-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.92.239-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.91.239-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.91.239-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-10.217.104.54-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-10.217.104.54-3008 -certkeyName ns-server-certificate
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
bind ssl vserver vpn.citrixlabs.com -certkeyName citrixlabs.keypair
set ns hostName nsPrimary
Secondary NetScaler
#NS8.0 Build 49.2
# Last modified by `save config`, Fri Dec 21 22:27:18 2007
set ns config -IPAddress 10.217.104.52 -netmask 255.255.255.0
enable ns feature CMP SSLVPN SSL
set lacp -sysPriority 32768
set system user nsroot 1b8c0fd3800004c04ecd8f170ec96e3d2c597e739e223fced -encrypted
set interface 0/1 -speed AUTO -duplex AUTO -autoneg ENABLED -haMonitor ON -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/1 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/2 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -state DISABLED -lacpMode DISABLED -throughput 0
set interface 1/3 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/4 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk ON -lacpMode DISABLED -throughput 0
set interface 1/5 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/6 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/7 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
set interface 1/8 -speed AUTO -duplex AUTO -flowControl RX -autoneg ENABLED -haMonitor OFF -trunk OFF -lacpMode DISABLED -throughput 0
add HA node 1 10.217.104.51
add ns ip 10.217.104.54 255.255.255.0 -vServer DISABLED -gui SECUREONLY -mgmtAccess ENABLED
add ns ip 169.145.91.239 255.255.255.0 -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 169.145.92.239 255.255.255.0 -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 169.145.92.240 255.255.255.0 -type MIP -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 169.145.91.240 255.255.255.0 -type MIP -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add ns ip 10.217.104.50 255.255.255.0 -type MIP -vServer DISABLED -gui SECUREONLY -mgmtAccess ENABLED
add ns ip 67.97.253.91 255.255.255.0 -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED
add vlan 4
add vlan 10
add vlan 91
add vlan 92
bind vlan 4 -ifnum 1/4
bind vlan 10 -ifnum 1/2
bind vlan 10 -IPAddress 67.97.253.91 255.255.255.0
bind vlan 91 -ifnum 1/4 -tagged
bind vlan 91 -IPAddress 169.145.91.239 255.255.255.0
bind vlan 92 -ifnum 1/4 -tagged
bind vlan 92 -IPAddress 169.145.92.240 255.255.255.0
add vrID 60
bind vrID 60 -ifnum 0/1
set locationParameter -context geographic -q1label Continent -q2label Country -q3label Region -q4label City -q5label ISP -q6label Organization
add policy expression users SOURCEIP == 0.0.0.0 -netmask 0.0.0.0
add aaa user vpn1 -password c83f1e11 -encrypted
add aaa group sslvpn
add vpn intranetApplication Intranet-Subnet-91 ANY 169.145.91.0 -netmask 255.255.255.0 -destPort 1-65535 -interception TRANSPARENT
add authorization policy Auth91 REQ.IP.DESTIP == 169.145.91.0 -netmask 255.255.255.0 ALLOW
add authorization policy AuthAllInbound REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0 ALLOW
add vpn vserver vpn.citrixlabs.com SSL 67.97.253.92 443 -maxAAAUsers 5 -downStateFlush DISABLED
set ns rpcNode 10.217.104.52 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP 10.217.104.52
set ns rpcNode 10.217.104.51 -password 8a7b474124957776a0cd31b862cbe4d72b5cbd59868a136d4bdeb56cf03b28 -encrypted -srcIP 10.217.104.52
set responder param -undefAction NOOP
set rewrite param -undefAction NOREWRITE
add dns nameServer 66.165.176.28 -state DISABLED
set dns parameter -nameLookupPriority DNS
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey citrixlabs.keypair -cert citrixlabs.cer -key citrixlabs.key -inform DER
set ssl service nshttps-67.97.253.91-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-67.97.253.91-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-10.217.104.50-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-10.217.104.50-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.91.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.91.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.92.240-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.92.240-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.92.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.92.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-169.145.91.239-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-169.145.91.239-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-10.217.104.54-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-10.217.104.54-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nskrpcs-127.0.0.1-3009 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nshttps-127.0.0.1-443 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set ssl service nsrpcs-127.0.0.1-3008 -sessReuse ENABLED -sessTimeout 120 -cipherRedirect DISABLED -sslv2Redirect DISABLED
set cache parameter -memLimit 0 -via NS-CACHE-8.0: 1 -verifyUsing HOSTNAME_AND_IP -maxPostLen 0 -prefetchMaxPending 4294967294 -enableBypass YES
set cache contentGroup BASEFILE -relExpiry 86000 -maxResSize 256 -memLimit 2
set cache contentGroup DELTAJS -relExpiry 86000 -insertAge NO -maxResSize 256 -memLimit 1 -pinned YES
set aaa parameter -maxAAAUsers 5
add vpn sessionAction SessAction91 -windowsClientType AGENT -defaultAuthorizationAction ALLOW -homePage http://169.145.91.151/Citrix/AccessPlatform/ -icaProxy ON -ntDomain Srv1
add vpn sessionAction SessAction92 -homePage http://169.145.92.152/Citrix/AccessPlatform/ -icaProxy ON -ntDomain Srv2
add vpn sessionAction userAction -sessTimeout 20 -windowsClientType AGENT
add vpn sessionAction SessionAct91 -sessTimeout 10 -splitTunnel ON -transparentInterception ON -windowsClientType AGENT -defaultAuthorizationAction ALLOW -clientCleanupPrompt OFF -forceCleanup all -homePage none -icaProxy OFF
add vpn sessionPolicy SessPolicy91 ns_true SessAction91
add vpn sessionPolicy SessPolicy92 ns_true SessAction92
add vpn sessionPolicy users REQ.IP.SOURCEIP == 0.0.0.0 -netmask 0.0.0.0 userAction
add vpn sessionPolicy SessionPol91 ns_true SessionAct91
set aaa preauthenticationparameter -preauthenticationaction ALLOW -rule ns_true
set vpn parameter -splitDns BOTH -splitTunnel ON -killConnections OFF -defaultAuthorizationAction DENY -proxy OFF -proxyLocalBypass DISABLED -forceCleanup all -clientOptions all -clientConfiguration all -SSO OFF -windowsAutoLogon OFF -clientDebug OFF -homePage none -icaProxy OFF -ClientChoices OFF -epaClientType PLUGIN
bind aaa group sslvpn -userName vpn1
bind aaa group sslvpn -intranetIP 169.145.91.0 255.255.255.224
bind aaa group sslvpn -policy Auth91
bind aaa group sslvpn -policy SessionPol91
bind aaa group sslvpn -intranetApplication Intranet-Subnet-91
bind tunnel global ns_tunnel_cmpall_gzip
set lb sipParameters -addRportVip ENABLED
bind ssl service nshttps-67.97.253.91-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-67.97.253.91-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-10.217.104.50-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-10.217.104.50-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.91.240-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.91.240-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.92.240-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.92.240-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.92.239-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.92.239-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-169.145.91.239-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-169.145.91.239-3008 -certkeyName ns-server-certificate
bind ssl service nshttps-10.217.104.54-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-10.217.104.54-3008 -certkeyName ns-server-certificate
bind ssl service nskrpcs-127.0.0.1-3009 -certkeyName ns-server-certificate
bind ssl service nshttps-127.0.0.1-443 -certkeyName ns-server-certificate
bind ssl service nsrpcs-127.0.0.1-3008 -certkeyName ns-server-certificate
bind ssl vserver vpn.citrixlabs.com -certkeyName citrixlabs.keypair
set ns hostName nsSecondary
www.citrix.com
Citrix Worldwide
Worldwide headquarters
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
USA
T +1 800 393 1888
T +1 954 267 3000
Regional headquarters
Americas
Citrix Silicon Valley
4988 Great America Parkway
Santa Clara, CA 95054
USA
T +1 408 790 8000
Europe
Citrix Systems International GmbH
Rheinweg 9
8200 Schaffhausen
Switzerland
T +41 52 635 7700
Asia Pacific
Citrix Systems Hong Kong Ltd.
Suite 3201, 32nd Floor
One International Finance Centre
1 Harbour View Street
Central
Hong Kong
T +852 2100 5000
Citrix Online division
5385 Hollister Avenue
Santa Barbara, CA 93111
USA
T +1 805 690 6400
www.citrix.com
About Citrix
Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than
200,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest
security and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well
as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more
than 100 countries. Annual revenue in 2006 was $1.1 billion.
Citrix, NetScaler, GoToMyPC, GoToMeeting, GoToAssist, Citrix Presentation Server, Citrix Password Manager, Citrix Access Gateway, Citrix Access Essentials, Citrix Access Suite, Citrix SmoothRoaming and Citrix Subscription Advantage are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. UNIX is a registered trademark of The Open Group in the U.S. and other countries. Microsoft, Windows and Windows Server are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.